yoink@tumblr ~ % date

25th October 2005

yoink@tumblr ~ % less 1130212800.txt

SSHKeychain totally rules

I was trying out public-key-only ssh authentication to lock down my testbed box at work. After I made the keys and got comfortable with the whole process, I thought I’d try out SSHKeychain. It’s really nice, once you figure it out. Not a whole lot of documentation to speak of, though. Now that it’s up, it does the work of two applications since it can also handle tunneling. Oh, and it gives you the choice of dock or menu item like all real utilities should.

First things first, let’s create our key.

$ ssh-keygen -t dsa
Enter file in which to save the key (/Users/dedi/.ssh/id_dsa):
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /Users/dedi/.ssh/id_dsa.
Your public key has been saved in /Users/dedi/.ssh/id_dsa.pub.
The key fingerprint is:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX dedi@snicker

Now we need to get the contents of .ssh/id_dsa.pub into the .ssh/authorized_keys files on the remote servers we want to use.

$ scp .ssh/id_dsa.pub user@remote.server.com:
$ ssh user@remote.server.com
user@remote $ cat id_dsa.pub >> .ssh/authorized_keys
user@remote $ chmod 600 .ssh/authorized_keys
user@remote $ rm id_dsa.pub
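The append-and-chmod step above, as an added shell function that is not from the original post: it installs a public key only if it is not already present and sets the modes sshd insists on for ~/.ssh and authorized_keys. The function names, the paths and the sample key line are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): the remote
# "cat id_dsa.pub >> .ssh/authorized_keys; chmod 600" step, done safely.
# Assumes POSIX sh with grep, awk, mkdir, chmod and touch available.

# install_pubkey <pubkey-file> [authorized_keys-path]
# Returns 0 if the key was appended, 1 if it was already there, 2 on bad input.
install_pubkey() {
    pub="$1"
    auth="${2:-$HOME/.ssh/authorized_keys}"
    dir=$(dirname "$auth")

    # Accept exactly one OpenSSH public key line; refuse anything else so a
    # stray private key or a whole file of junk never lands in authorized_keys.
    [ "$(wc -l < "$pub")" -le 1 ] || { echo "expected one key line" >&2; return 2; }
    line=$(head -n 1 "$pub")
    case "$line" in
        "ssh-dss "*|"ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
        *) echo "not an OpenSSH public key: $pub" >&2; return 2 ;;
    esac

    # With StrictModes (the default) sshd silently ignores authorized_keys
    # when the directory or file is group/world writable, so fix modes first.
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$auth" && chmod 600 "$auth"

    # Match on key type + base64 blob only, so a different trailing comment
    # does not produce a duplicate entry.
    blob=$(printf '%s\n' "$line" | awk '{print $1 " " $2}')
    if grep -qF -- "$blob" "$auth"; then
        echo "key already present in $auth" >&2
        return 1
    fi
    printf '%s\n' "$line" >> "$auth"
}

# key_count <authorized_keys-path>: number of key lines currently installed.
key_count() { grep -c -E '^(ssh-|ecdsa-)' "$1"; }
```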

Now to test it let’s try connecting to the remote server again.

$ ssh user@remote.server.com
Enter passphrase for key '/Users/dedi/.ssh/id_dsa':

Success. So the hard part is now over. On to the fun stuff. Go get SSHKeychain. Once that’s installed, run it and open Preferences > Environment. Make sure that “Manage (and modify) global environment variables” is checked.

Okay. This is the most important part (i.e. the one I forgot): log out. Log out and then log back in, and like magic your environment will now be aware of your lovely new SSHKeychain.

Now when you attempt to connect to any of your remote servers that work with your key, you’ll get an initial nudge from SSHKeychain and then not again until you lock your keychain or you put the computer to sleep. You can adjust the timeouts and other security settings in the Preferences.

Oh joy, but don’t forget about tunnels. In the tunnel section of Preferences, you can set up a new tunnel by giving it a name, a remote server with login, and local or remote ports. Let’s say you want to do a local forward for MySQL. Under Local Ports enter

Local Port 3307 (my end)
Remote Host 127.0.0.1
Remote Port 3306 (remote mysql server)

You can have the tunnel launch when you add your keys or on waking and startup. How convenient.

Go forth and be secure.
